TBO.com - Tampa Bay Online

Georgia Also Embroiled In Cyberwar

Published: August 13, 2008

Weeks before bombs started falling on Georgia, a security researcher in a Massachusetts suburb was watching an attack against the country in cyberspace.
Jose Nazario of Arbor Networks in Lexington noticed a stream of data that was directed at Georgian government sites containing the message: "win+love+in+Rusia."

Other Internet experts in the United States said that the attacks against Georgia's Internet infrastructure began as early as July 20, with coordinated barrages of millions of requests - known as distributed denial of service, or DDOS, attacks - that overloaded and effectively shut down Georgian servers.

Researchers at Shadowserver, a volunteer group that tracks malicious network activity, reported that the Web site of Georgian President Mikheil Saakashvili had been rendered inoperable for 24 hours by multiple DDOS attacks.

They said the command and control server that directed the attack was based in the United States and had come online several weeks before it began the assault.

As it turns out, July's attack may have been a dress rehearsal for an all-out cyberwar once the shooting started between Georgia and Russia.

According to Internet technical experts, it was the first time a known cyberattack had coincided with a shooting war.

But it will likely not be the last, said Bill Woodcock, research director of the Packet Clearing House, a nonprofit organization that tracks Internet traffic.

Woodcock said cyberattacks were so inexpensive and easy to mount, with few fingerprints, they would almost certainly remain a feature of modern warfare.

"It costs about 4 cents per machine," he said. "You could fund an entire cyberwarfare campaign for the cost of replacing a tank tread, so you would be foolish not to."

Real Perpetrators Unknown

Exactly who was behind the cyberattack is not known. The Georgian government blamed Russia for the attacks, but the Russian government said it was not involved.

In the end, Georgia, with a population of just 4.6 million and a relative latecomer to the Internet, saw little effect beyond inaccessibility to many of its government Web sites, which limited the government's ability to spread its message online and to connect with sympathizers worldwide in fighting with Russia.

It ranks 74th of 234 nation-states in terms of Internet addresses, behind Nigeria, Bangladesh, Bolivia and El Salvador.

Cyberattacks have far less impact on such a country than they might on a more Internet-dependent nation, such as Israel, Estonia or the United States, where vital services such as transportation, power and banking are tied to the Internet.

In Georgia, media, communications and transportation companies were attacked, security researchers said.

Shadowserver saw the attack against Georgia spread to computers throughout the government after Russian troops entered the Georgian province of South Ossetia.

The National Bank of Georgia's Web site was defaced. Images of 20th-century dictators and an image of Georgia's president, Saakashvili, were placed on the site.

"Could this somehow be indirect Russian action? Yes, but considering Russia is past playing nice and uses real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically," said Gadi Evron, an Israeli network security expert.

He assisted in pushing back a cyberattack on Estonia's Internet infrastructure last April and May that followed the removal of a bronze statue of a World War II-era Soviet soldier in Tallinn.

"The nature of what's going on isn't clear," he said.

'Wilderness Of Mirrors'

The phrase "a wilderness of mirrors" usually describes the murky world surrounding opposing intelligence agencies.

It also neatly summarizes the array of conflicting facts and accusations encompassing the cyberwar taking place in tandem with the Russian fighting in Georgia.

In addition to DDOS attacks that crippled Georgia's limited Internet infrastructure, researchers said there was evidence of redirection of Internet traffic through Russian telecommunications firms beginning last weekend.

Attacks continued Tuesday, controlled by software programs located in hosting centers controlled by a Russian telecommunications firm.

A Russian language Web site, stopgeorgia.ru, also continued to operate and offer software for download used for DDOS attacks.

Over the weekend a number of American computer security researchers tracking malicious programs known as botnets, which were blasting streams of useless data at Georgian computers, said they saw clear evidence of a shadowy St. Petersburg-based criminal gang known as the Russian Business Network, or RBN.

"The attackers are using the same tools and the same attack commands that have been used by the RBN and in some cases the attacks are being launched from computers they are known to control," said Don Jackson, director of threat intelligence for SecureWorks, a computer security firm based in Atlanta.

He said that in the run-up to the start of the war over the weekend, computer researchers had watched as botnets were "staged" in preparation for the attack, then launched shortly before Russian airstrikes began Saturday.

The evidence on RBN and whether it is controlled by, or coordinating with, the Russian government remains unclear.

The group has been linked to online criminal activities including child pornography, malware, identity theft, phishing and spam.

Other computer researchers said that RBN's role is ambiguous at best. "We are simply seeing the attacks coming from known hosting services," said Paul Ferguson, an advanced threat researcher at Trend Micro, an Internet security company based in Cupertino, Calif.

A Russian government spokesman said the government was not involved, but that it was possible that individuals in Russia or elsewhere had taken it upon themselves to start the attacks.

"I cannot exclude this possibility," said Yevgeniy Khorishko, a spokesman for the Russian Embassy in Washington.
